House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices

A new bill (HR 7898) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes.

The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations.

The bill defines ‘Recognized Security Practices’ as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

The bill also confirms that its aim is to reduce potential sanctions, penalties, and the length of audits when cybersecurity best practices are followed, and not to give the HHS the authority to increase audit lengths, fines, and penalties when an entity is discovered not to be in compliance with recognized security standards.

The bill has received considerable support from health IT industry stakeholder groups, including HITRUST. HITRUST believes the legislation will help to improve the cybersecurity posture of the healthcare industry, will encourage healthcare organizations to take a more proactive approach to HIPAA compliance, and will ensure entities that have achieved HITRUST Cybersecurity Standard Framework (CSF) Certification are recognized for their proactive approach to protecting healthcare data.

The bill also has the backing of the Healthcare and Public Health Sector Coordinating Council (HSCC), which believes the legislation will act as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and patient safety.

Update: December 19, 2020 – The unchanged bill was passed by the Senate. The bill will not go to the President who will decide whether to sign the bill into law or veto it.


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.